Transfer of EU Personal Data to U.S. Law Enforcement Authorities After the CLOUD Act: Is There a Conflict with the GDPR?

Article Source: Cybersecurity and Privacy in a Globalized World: Building Common Approaches, Randal Milch and Sebastian Benthall, eds., New York University School of Law (e-book), pp. 60-75, 2019
Publication Date:
Time to Read: 2 minute read
Written By:



United States’ law requires firms to turn electronic evidence over to law enforcement even when the data is stored in another country. The law may conflict with European privacy law, which limits data transfers to foreign governments.


Policy Relevance:

European Data Protection authorities should clarify application of European privacy law to criminal evidence.


Key Takeaways:
  • Before passage of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), Microsoft refused to turn over the emails of a criminal suspect to authorities in the United States, because the emails were stored in a data center located in Ireland.
  • The CLOUD Act amended the United States’ Stored Communications Act (SCA), requiring firms to transfer data in response to orders or warrants issued by authorities in the United States, regardless of whether the data is located within or outside of the United States.
  • The EU’s General Data Protection Regulation (GDPR), which took effect in May, 2018, limits the transfer of EU personal data to foreign governments, and may conflict with the SCA.
  • Under article 48 of the GDPR, the orders of non-EU courts and warrants are enforceable only according to processes established by international agreements such as mutual legal assistance treaties; however, article 49 also allows transfers “for important reasons of public interest.”
  • The European Commission (EC) suggests that serious criminal law enforcement efforts generally satisfy article 49; however, the European Data Protection Board (EDPB) takes a narrower view, suggesting that transfers of data under article 49 must be in the interest of the EU member state.
  • Ambiguous EC and EDPB statements leave Internet and Cloud Service Providers in an uncomfortable position.
    • Firms should not transfer EU data to the United States if the SCA warrant does not involve a serious crime.
    • Firms should ask courts to address the conflict between the SCA and the GDPR.
  • EU Legislators and the EDPB should provide clearer guidance in the future; an agreement between the EU and the United States on cross-border access to electronic evidence could resolve this issue.



Théodore Christakis

About Theodore Christakis

Théodore Christakis is Professor of International and European Law at the Université Grenoble Alpes. Additionally, he is the Director of the Centre for International Security and European Studies (CESICE) and Co-Director of the Grenoble Alpes Data Institute. Professor Christakis’ research and teaching interests include international security law, international protection of human rights, cyber security law and data protection, and artificial intelligence.

See more with Theodore Christakis